Windows management instrumentation, also known as WMI, is an App on Windows that allows a user to query all sorts of things about a system. Being native to Windows, it is an attractive target for a attackers to leverage. This week I'll break do

DFSP # 426 - SSH Forensics: Log Analysis

14 days ago 22m 4s

This week I'm wrapping up my series on SSH forensics with a discussion on SSH log triage. Logs are usually what an analyst will start with, so this episode is important. There are a few different log types, and there is a pitfall with one of th

DFSP # 425 - SSH Forensics: Host-Based Artifacts

21 days ago 30m 54s

In the last episode on this topic, I covered SSH from a investigation point of view. I explained SSH and the artifacts that typically come up when your investigating. In this episode, we're getting into the triage methodology. This includes the

DFSP # 424 - SSH Forensics: Understanding Secure Shell

28 days ago 23m 12s

SSH is a protocol used to secure remote access to systems, making it a cornerstone in safeguarding sensitive information and ensuring secure communications. In this podcast, we will delve into the basics of SSH, its key concepts and other usefu

DFSP # 423 - Guiding Lights: Cyber Investigations Investigation Lifecycle

Mar 26th, 2024 30m 51s

This week I'm discussing a fundamental aspect of cybersecurity: incident response preparation. Effective incident response is paramount, and preparation is the key to success. This preparation includes comprehensive documentation, training, hav

DFSP # 422 - EVTX Express: Cracking into Windows Logs Like a Pro

Mar 19th, 2024 21m 7s

Today I'm talking Windows forensics, focusing on Windows event logs. These logs are very valuable for fast triage, often readily available in your organization's SIEM. But have you ever wondered about the processes enabling this quick access? N

DFSP # 421 - Memory Lane: Fileless Linux Attacks Unraveled

Mar 12th, 2024 25m 42s

In this podcast episode, we talk about Linux's `memfd` – a virtual file system allowing the creation of anonymous memory areas for shared memory or temporary data storage. Threat actors exploit `memfd` for fileless malware attacks, as its memor

DFSP # 420 - Failing, Stopping and Crashing

Mar 5th, 2024 22m 30s

This week we explore into the world of Windows service event codes and their role in forensic investigations. Windows services are background processes crucial for system functionality, running independently of user interaction- making them ide

DFSP # 419 - What the Flux

Feb 27th, 2024 27m 49s

This week, we're delving into the realm of fast flux, a cunning technique employed by attackers to cloak their true, malicious domains. Its effectiveness is the reason behind its widespread use, making it crucial for analysts to grasp its nuanc

DFSP # 418 - Core Insights: Navigating MFT in Forensics

Feb 20th, 2024 22m 10s

In this week's exploration, I'm delving into the intricate realm of the Master File Table (MFT), a pivotal forensic artifact in Windows investigations. The MFT provides a valuable gateway to decode evidence across various scenarios. Join me in

DFSP # 417 - Unlocking Linux Secrets

Feb 13th, 2024 32m 20s

This week I delve into the intriguing domain of Linux malware triage. The Linux platform presents forensic analysts with a unique opportunity to excel in performing malware triage effortlessly. The beauty of it lies in the fact that you don't r

DFSP # 416 - Persistence Mechanisms on Windows

Feb 6th, 2024 25m 56s

This week I’m going to talk about New Service Installation details recorded in Windows event logs. These have a number of advantages for your triage methodology and I will have all the details coming up.

DFSP # 415 - Dealing with Third-Party Incidents

Jan 30th, 2024 20m 32s

Organizations leverage third-party services more and more for business advantages. For the security professional, this means the organizational data you're charged with protecting is under the control of a third-party in some way shape or form.

DFSP # 414 - CRON Forensics

Jan 23rd, 2024 14m 18s

Cron become important and Linux forensics when you’re talking about persistence. Think scheduled tasks if you want a Windows equivalent. The artifact is not that difficult to analyze once you understand the elements to focus on and it is typica

DFSP # 413 - Ransomware Initial Response

Jan 16th, 2024 16m 55s

Ransomware cases can be particularly challenging, especially during the initial response. They tend to be fast-paced and require the responder to simultaneously prioritize a number of tasks. Each of these tasks can have critical impact upon the

DFSP # 412 - Conhost Forensics

Jan 9th, 2024 19m 2s

Conhost, or the Console Application Host, often comes up during investigations. Understanding what it is, the evidence may contain and how to extract that information becomes important...

DFSP # 411 - NTLM Credential Validation

Jan 2nd, 2024 18m 9s

This week I'm talking about detecting evidence of lateral movement on Window systems using NTLM credential validation events. Much like the episode I did on Kerberos, NTLM events offer the same advantage of being concentrated on domain controll

DFSP # 410 - Linux Temp Directories

Dec 26th, 2023 15m 38s

Temporary directories play a significant role in computer forensic investigations as they can potentially contain valuable digital evidence. When conducting a computer forensic investigation, these temporary directories can provide insights int

DFSP # 409 - Regsvcs and Regasm Abuse

Dec 19th, 2023 11m 14s

This week I’m talking about Regsvcs /Regasm exploitation, which is a Windows tactic attackers use to evade defense mechanisms and execute code. Specifically, this technique can be used to bypass process whitelisting and digital certificate vali

DFSP # 408 - Nesting

Dec 12th, 2023 13m 22s

This week I’m talking about Nested Groups and the risk they pose for security. Built-in to the functionality of Active Directory is the ability to attach a group to another group. While this has advantages for account administration across an o

DFSP # 407 - More About Lateral Movement and Kerberos

Dec 5th, 2023 19m 21s

This week it's more about lateral movement and kerberos events.

DFSP # 406 - All the BIN Directories

Nov 28th, 2023 14m 49s

In a typical Linux "bin" directory, you can find various types of executable files and scripts that are used to perform different tasks. The confusing part is that there are a number of different BIN directories throughout the file system. What

DFSP # 405 - Werfault Attacks

Nov 21st, 2023 14m 39s

Werfault is in interesting artifact in that there is not a lot of documentation on it but yet it may affect an investigation in different ways. Its appearance in logs sometimes adds a bit of confusion to an investigation because it could mean

DFSP # 404 - Certutil Attacks

Nov 14th, 2023 12m 19s

Certutil, a powerful command-line utility, possesses the potential for misuse by malicious actors to establish illicit network connections. Therefore, it is crucial to familiarize oneself with its legitimate applications and recognize common in

DFSP # 403 - Lateral Movement Kerberos Auth Events

Nov 7th, 2023 15m 40s

This week I'm going to cover an important Windows event that provides valuable information about authentication attempts and potential security breaches. The event may be used to identify compromised accounts, identify brute, force, attacks, or